Security Basics mailing list archives

RE: nasty new url insertion program


From: "Bowes, Ronald (EST)" <RBowes () gov mb ca>
Date: Tue, 5 Oct 2004 08:46:52 -0500

It is possible that a script on the page is vulnerable to "HTTP response
splitting".  I would suggest googling it, because I don't have any links
handy, but that would allow somebody to poison the cache of a caching server
between him and his site with a fake web page.

I don't quite understand your questions, but it seems to me that that could
be a possibility.  

Hope that helps!

Ron Bowes
Information Protection Centre
Government Of Manitoba

-----Original Message-----
From: Alex Gogan [mailto:alex () fbi ie] 
Sent: Friday, October 01, 2004 7:21 AM
To: security-basics () securityfocus com
Subject: nasty new url insertion program

Hi All,

Just a quick note, a client rang me this morning in a panic saying the 
site we developed and hosted was compromised, what was happening was 
every time he made a change on the CMS system to one of the pages, where 
there was a URL field it would (he was unaware) insert 
"http://younghotgirls.net/2504/"; it was only when he was checking the 
pages online did he notice this.

Needless to say I told him to download the spyware and antivirus to try 
and catch this but I must admit I find this troubling.

Has anybody else found or heard of something similar ??

-- 
Alex Gogan
alex () fbi ie
Future Business Intercommunications
~The Complete Internet Services Company~

http://www.fbi.ie
Communications House
11 Leeson Park Villas, Sallymount Avenue, Ranelagh,
Dublin 6, Ireland

Tel:+353.14988588 | Fax: +353.14988589
Web: www.fbi.ie | Email: alex () fbi ie
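
The reply above names HTTP response splitting without showing what the flaw looks like in a script. The following Python is an added example, not part of either message: it places the vulnerable pattern (request data copied into a response header) beside a hardened form that rejects CR/LF. The function names and the sample value are assumptions made for illustration.

```python
# Added example: all names and the sample value are constructed for illustration.

# Constructed value a script might take from a query parameter. The embedded
# CR/LF ends the Location line early and starts a header the script never set.
SAMPLE_INJECTED = "/news\r\nX-Injected: yes"


def build_redirect_unsafe(target: str) -> bytes:
    """Vulnerable pattern: request data is copied straight into a header line."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_safe(target: str) -> bytes:
    """Hardened form: refuse CR, LF and every other control character.

    Rejecting is safer than stripping, because a stripped value can still
    be reassembled into something the application did not intend.
    """
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        raise ValueError("control character in header value")
    return build_redirect_unsafe(target)


def header_names(raw: bytes) -> list:
    """List header names the way a downstream cache or proxy would parse them."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


if __name__ == "__main__":
    # A normal value yields only the headers the script intended to send.
    print(header_names(build_redirect_unsafe("/news?id=7")))
    # The constructed value adds a header line the script never wrote.
    print(header_names(build_redirect_unsafe(SAMPLE_INJECTED)))
    try:
        build_redirect_safe(SAMPLE_INJECTED)
    except ValueError as exc:
        print("rejected:", exc)
```

Once a value can add header lines, everything after the injected CR/LF is under the sender's control, which is why an intermediate cache can end up storing content the site never produced.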

